Pass current EAP state machine to
BIO_from_keystore().

Previously, we would retrieve the EAP SM
from tls_global. However, there may be an
issue if the underlying EAP SM object is
de-initialized using tls_deinit(), but
tls_global is not cleared out.

Bug: 276478806
Test: Manual test - see b/276478806#comment15
Change-Id: I519de8f189f7f3834f494e2906a4e63e11a8382f
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f281b71..01b17b2 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -223,23 +223,29 @@
 }
 
 
-static BIO* BIO_from_keystore(const char *alias)
+static BIO* BIO_from_keystore(const char *alias, struct tls_connection *conn)
 {
 	BIO *bio = NULL;
 	uint8_t *value = NULL;
-	if (tls_global != NULL && certificate_callback_global != NULL) {
+
+	void *cb_ctx = NULL;
+	if (conn != NULL && conn->context != NULL) {
+		cb_ctx = conn->context->cb_ctx;
+	}
+
+	if (cb_ctx != NULL && certificate_callback_global != NULL) {
 		wpa_printf(MSG_INFO, "Retrieving certificate using callback");
-		int length = (*certificate_callback_global)(tls_global->cb_ctx, alias, &value);
+		int length = (*certificate_callback_global)(cb_ctx, alias, &value);
 		if (length != -1 && (bio = BIO_new(BIO_s_mem())) != NULL)
 			BIO_write(bio, value, length);
+		free(value);
 	}
-	free(value);
 	return bio;
 }
 
-static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias)
+static int tls_add_ca_from_keystore(X509_STORE *ctx, const char *alias, struct tls_connection *conn)
 {
-	BIO *bio = BIO_from_keystore(alias);
+	BIO *bio = BIO_from_keystore(alias, conn);
 	STACK_OF(X509_INFO) *stack = NULL;
 	stack_index_t i;
 	int ret = 0;
@@ -280,7 +286,8 @@
 
 
 static int tls_add_ca_from_keystore_encoded(X509_STORE *ctx,
-					    const char *encoded_alias)
+						const char *encoded_alias,
+						struct tls_connection *conn)
 {
 	int rc = -1;
 	int len = os_strlen(encoded_alias);
@@ -297,7 +304,7 @@
 		if (!hexstr2bin(encoded_alias, decoded_alias, len / 2)) {
 			decoded_alias[len / 2] = '\0';
 			rc = tls_add_ca_from_keystore(
-				ctx, (const char *) decoded_alias);
+				ctx, (const char *) decoded_alias, conn);
 		}
 		os_free(decoded_alias);
 	}
@@ -2902,7 +2909,7 @@
 	if (ca_cert && os_strncmp(ANDROID_KEYSTORE_PREFIX, ca_cert,
 					ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
 		if (tls_add_ca_from_keystore(SSL_CTX_get_cert_store(ssl_ctx),
-				&ca_cert[ANDROID_KEYSTORE_PREFIX_LEN]) < 0)
+				&ca_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn) < 0)
 			return -1;
 		SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, tls_verify_cb);
 		return 0;
@@ -2923,7 +2930,7 @@
 		alias = strtok_r(aliases, delim, &savedptr);
 		for (; alias; alias = strtok_r(NULL, delim, &savedptr)) {
 			if (tls_add_ca_from_keystore_encoded(
-					SSL_CTX_get_cert_store(ssl_ctx), alias)) {
+					SSL_CTX_get_cert_store(ssl_ctx), alias, conn)) {
 				wpa_printf(MSG_ERROR,
 						"OpenSSL: Failed to add ca_cert %s from keystore",
 						alias);
@@ -3487,7 +3494,7 @@
 #ifdef ANDROID
 	if (os_strncmp(ANDROID_KEYSTORE_PREFIX, client_cert,
 			ANDROID_KEYSTORE_PREFIX_LEN) == 0) {
-		BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN]);
+		BIO *bio = BIO_from_keystore(&client_cert[ANDROID_KEYSTORE_PREFIX_LEN], conn);
 		X509 *x509 = NULL;
 		if (!bio) {
 			return -1;